Hello
On Wed, 2014-02-19 at 18:05 +0100, Art -kwaak- van Breemen wrote:
> Hi Hans,
>
> On Wed, Feb 19, 2014 at 05:04:17PM +0100, Hans Schillstrom wrote:
> > The problem is if icmp6 is not the first header it will not work...
> > i.e. it can be other headers before icmp and if you have -1 you will not
> > always get the icmp header.
>
> Ah bah, I thought they move every extra header after the payload.
>
> > The patch that broke it was:
> > commit 9195bb8e381d81d5a315f911904cdf0cfcc919b8
> > Author: Ansis Atteka <aatteka@xxxxxxxxxx>
>
> I will take a hard look into that one :-).
>
> > --- a/net/ipv6/exthdrs_core.c 2014-02-19 16:36:22.031686037 +0100
> > +++ b/net/ipv6/exthdrs_core.c 2014-02-19 16:37:28.838082168 +0100
>
> If I patch my kernel:
> ard@freeze8dev:/mnt/source/kernels/build-hp-ws/l-3.13.3$ diff -u net/netfilter/ipvs/ip_vs_core.c{.org,} ;diff -u net/ipv6/exthdrs_core.c{.org,}
> --- net/netfilter/ipvs/ip_vs_core.c.org 2014-01-22 14:46:53.222738221 +0100
> +++ net/netfilter/ipvs/ip_vs_core.c 2014-02-19 17:48:09.306379357 +0100
> @@ -735,7 +735,10 @@
> struct ipv6hdr *ciph;
> unsigned short fragoffs;
>
> - ipv6_find_hdr(skb, &icmp_offset, IPPROTO_ICMPV6, &fragoffs, NULL);
> + EnterFunction(10);
> + protocol=ipv6_find_hdr(skb, &icmp_offset, IPPROTO_ICMPV6, &fragoffs, NULL);
> + //ipv6_find_hdr(skb, &icmp_offset, -1, &fragoffs, NULL);
> + IP_VS_DBG(15,"icmp_offset=%d,protocol=%d\n",icmp_offset,protocol);
> icmph = (struct icmp6hdr *)(skb_network_header(skb) + icmp_offset);
> offs = icmp_offset + sizeof(struct icmp6hdr);
> ciph = (struct ipv6hdr *)(skb_network_header(skb) + offs);
> @@ -780,6 +783,7 @@
> IP_VS_DBG_PKT(11, AF_INET6, pp, skb,
> (void *)ciph - (void *)iph,
> "Forwarding altered incoming ICMPv6");
> + LeaveFunction(10);
> }
> #endif
>
> --- net/ipv6/exthdrs_core.c.org 2013-11-06 13:32:34.653688901 +0100
> +++ net/ipv6/exthdrs_core.c 2014-02-19 17:49:38.771351902 +0100
> @@ -211,6 +211,8 @@
> unsigned int hdrlen;
> found = (nexthdr == target);
>
> + if (found && (target > 0))
> + break;
> if ((!ipv6_ext_hdr(nexthdr)) || nexthdr == NEXTHDR_NONE) {
> if (target < 0)
> break;
>
> I get this again:
> Feb 19 18:02:36 c43236 kernel: [106578.432947] IPVS: Enter: ip_vs_out, net/netfilter/ipvs/ip_vs_core.c line 1120
> Feb 19 18:02:36 c43236 kernel: [106578.432950] IPVS: Outgoing ICMPv6 (2,0) 2001:7b8:2ff:6f::1->2a02:310:0:1013::1005
> Feb 19 18:02:36 c43236 kernel: [106578.432954] IPVS: lookup/out TCP [2001:7b8:32d:0:1864:b6ff:febf:3636]:39993->[2a02:310:0:1013::1005]:80 not hit
> Feb 19 18:02:36 c43236 kernel: [106578.432956] IPVS: Incoming ICMPv6 (2,0) 2001:7b8:2ff:6f::1->2a02:310:0:1013::1005
> Feb 19 18:02:36 c43236 kernel: [106578.432960] IPVS: lookup/in TCP [2001:7b8:32d:0:1864:b6ff:febf:3636]:39993->[2a02:310:0:1013::1005]:80 hit
> Feb 19 18:02:36 c43236 kernel: [106578.432962] IPVS: Enter: ip_vs_icmp_xmit_v6, net/netfilter/ipvs/ip_vs_xmit.c line 1186
> Feb 19 18:02:36 c43236 kernel: [106578.432964] IPVS: Enter: ip_vs_nat_icmp_v6, net/netfilter/ipvs/ip_vs_core.c line 738
> Feb 19 18:02:36 c43236 kernel: [106578.432965] IPVS: icmp_offset=0,protocol=-2
This one bothers me,
Why does it returns -ENOENT ???
When enter ipv6_find_hdr() the initial nexthdr should be 0x3a ICMPv6
u8 nexthdr = ipv6_hdr(skb)->nexthdr;
and target also 0x3a i.e. found is true and target > 0
then break and return 3a
That didn't happen why ?
- Just a check did you rebuild ipv6 or if not a module the kernel ?
> Feb 19 18:02:36 c43236 kernel: [106578.432966] IPv6 header not found
> Feb 19 18:02:36 c43236 kernel: [106578.432969] IPVS: Leave: ip_vs_nat_icmp_v6, net/netfilter/ipvs/ip_vs_core.c line 786
> Feb 19 18:02:36 c43236 kernel: [106578.432974] IPVS: Leave: ip_vs_icmp_xmit_v6, net/netfilter/ipvs/ip_vs_xmit.c line 1263
>
> I will take a closer look...
>
> Regards,
> Ard
>
>
Attachment:
smime.p7s
Description: S/MIME cryptographic signature
